[BlueOnyx:26350] Re: CalDAV + CardDAV (Contacts & Address Books) integration for BlueOnyx?
Michael Stauber
mstauber at blueonyx.it
Wed Jul 5 13:04:20 -05 2023
Hi Rodrigo,
> Only review the security implications of radiale.org,
>
> Any open CVEs that might compromise BlueOnyx security.
>
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-15782/product_id-33131/Radicale-Radicale.html
Yeah, I've seen those as well and it is good that you mention it. We
will be using "radicale3-3.1.8" from Epel on 5211R and I believe the
version for 5210R will not be much older either. Both are much newer
than the vulnerabilities you mentioned. The latest CVE from 2017
(CVE-2017-8342) for example is now directly mitigated by a built-in
brute force detection and enforcing a growing delay on authentication
after each failed login.
In fact the *really* tight security in Radicale v3 has already driven me
nuts and complicated the integration tremendously.
It runs as unprivileged user "radicale" in a Systemd jail. That jail has
its own /tmp and Radicale only has access to its own home directory
/var/lib/radicale. Beyond that Radicale is unable to elevate its own
privileges, capabilities and can't modify ControlGroups or access
devices or anything kernel related:
----------------------------------------------------------------
[root@5211r ~]# cat /usr/lib/systemd/system/radicale.service
[Unit]
Description=Radicale CalDAV and CardDAV server
Documentation=https://radicale.org/3.0.html#documentation
After=network.target
Requires=network.target
[Service]
ExecStart=/usr/libexec/radicale/radicale
Restart=on-failure
Type=exec
User=radicale
Group=radicale
UMask=0027
WorkingDirectory=/var/lib/radicale
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=
ReadWritePaths=/var/lib/radicale/
----------------------------------------------------------------
That is about as tight as you can configure something.
Which also meant that Radicale itself didn't even have the ability to do
any authentication itself and was either accessible to anyone (like:
when you use it in internal networks) or relied on htpasswd protection
via htpasswd file *in* the jail. Or mod_proxy and mod_authnz_external
password protection in Apache itself and passing the user-name via
%{REMOTE_USER} *after* the external authentication had been satisfied.
Something like this:
----------------------------------------------------------------
RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]
<Location "/radicale/">
AuthType Basic
AuthName "Radicale - Password Required"
AuthUserFile "/etc/radicale/htpasswd"
Require valid-user
ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
RequestHeader set X-Script-Name /radicale
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
</Location>
----------------------------------------------------------------
While that is good, it makes GUI-integration a real hassle.
Access to the authentication layer via PAM? Nope! Not possible from
within that strict jail. Even if: An unprivileged user can only PAM auth
his own credentials and not those of someone else.
So I had to devise a secure method how Radicale can auth over the
network (by letting Radicale do a POST request to Apache on "localhost"
against a new "/internalauth" URL that checks username and passwords and
reports if they're fine or not). And then I wrote a Python authentication
module for Radicale which uses that method.
Even then I can't do an auto-login from the GUI into the Radicale
backend, as it has cross-site scripting protection enabled (so a remote
POST request won't work) and on top of that: It prevents hitting the
"submit" button via a jQuery script, which is another way I tried to get
auto-login working from inside the GUI.
In principle I have it all working now (minus the auto-login) and the
code is in SVN:
https://devel.blueonyx.it/trac/browser/BlueOnyx/5211R/ui/base-organizer.mod
As I can't get auto-login into the backend working I'll be doing a full
GUI integration of Radicale instead. That way we can manage all Radicale
aspects from within the BlueOnyx GUI, using BlueOnyx methods. And then
we don't need the GUI that Radicale itself brings with it. At least not
for the management. It's still used when someone accesses CalDAV or
CardDAV to access calendars and/or contacts.
By the weekend I should perhaps have it ready for 5211R and will then
port it to 5210R as well.
--
With best regards
Michael Stauber
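
Added example (not part of the original message and not the BlueOnyx module from the linked SVN tree): a fail-closed Python sketch of the loopback credential check the message describes, returning the login on success and an empty string otherwise. Only the /internalauth path comes from the message; the form field names, the scheme and port, and the "HTTP 200 means valid" convention are assumptions.

```python
# Added sketch, not BlueOnyx code. Assumed: form field names, scheme/port,
# and "HTTP 200 means valid". Only the /internalauth path is from the post.
import http.client
import ipaddress
import socket
import urllib.parse
import urllib.request

AUTH_URL = "http://localhost/internalauth"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the password is never re-sent to another URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def is_loopback(url):
    """True only for an http(s) URL whose host resolves solely to loopback."""
    try:
        parts = urllib.parse.urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = [i[4][0] for i in socket.getaddrinfo(parts.hostname, None)]
        return bool(addrs) and all(
            ipaddress.ip_address(a).is_loopback for a in addrs)
    except (OSError, ValueError):
        return False


def check_credentials(login, password, url=AUTH_URL, timeout=3.0):
    """Return login if the endpoint accepts the pair, "" in every other case."""
    if not login or not password or not is_loopback(url):
        return ""
    body = urllib.parse.urlencode(
        {"username": login, "password": password}).encode()
    request = urllib.request.Request(url, data=body, method="POST")
    # An empty ProxyHandler ignores http_proxy, so credentials stay on the box.
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(request, timeout=timeout) as response:
            return login if response.status == 200 else ""
    except (OSError, ValueError, http.client.HTTPException):
        return ""  # fail closed: refused, timed out, 3xx, 4xx or 5xx
```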